b'                                                                Issue Date\n                                                                     December 3, 2010\n                                                                Audit Report Number\n                                                                     2011-DP-0003\n\n\n\n\nTO:        Douglas A. Criscitello, Chief Financial Officer, F\n\n             //s//\nFROM:      Hanh Do, Director, Information Systems Audits Division, GAA\n\nSUBJECT: HUD Did Not Fully Comply With the Requirements of OMB Circular A-127\n\n\n                                   HIGHLIGHTS\n\n What We Audited and Why\n\n            We audited the U.S. Department of Housing and Urban Development\xe2\x80\x99s (HUD)\n            ability to comply with the requirements of Office of Management and Budget\n            (OMB) Circular A-127, which was revised in January 2009 and became effective\n            on October 1, 2009. We conducted the audit as a component of the audit of\n            HUD\xe2\x80\x99s consolidated financial statements for fiscal year 2010 under the Chief\n            Financial Officer\xe2\x80\x99s Act of 1990.\n\n\n What We Found\n\n\n            HUD did not fully comply with the requirements of OMB Circular A-127.\n            Specifically, HUD had not (1) initiated plans to review financial management\n            systems for compliance with computer security and internal control guidelines;\n            and (2) accurately identified HUD\xe2\x80\x99s financial management systems within its\n            financial system inventory listing. Additionally, although progress has been\n            made, we continue to have concerns regarding HUD\xe2\x80\x99s integrated core financial\n            system.\n\x0cWhat We Recommend\n\n\n           We recommend that the Office of the Chief Financial Officer take appropriate\n           steps to move into compliance with the requirements of OMB Circular A-127.\n\n           For each recommendation without a management decision, please respond and\n           provide status reports in accordance with HUD Handbook 2000.06, REV-3.\n           Please furnish us copies of any correspondence or directives issued because of the\n           audit.\n\n\nAuditee\xe2\x80\x99s Response\n\n\n           The draft audit report was issued on October 19, 2010, and written comments\n           were requested by October 26, 2010. We received written comments dated\n           October 28, 2010. The addressee generally agreed with the recommendations in\n           our report.\n\n           The complete text of the auditee\xe2\x80\x99s response, along with our evaluation of that\n           response, can be found in appendix A of this report.\n\n\n\n\n                                            2\n\x0c                        TABLE OF CONTENTS\n\nBackground and Objective                                            4\n\nResults of Audit\n\n      Finding 1: HUD Did Not Fully Comply With OMB Circular A-127   6\n      Requirements\n\n      Finding 2: Concerns Remain Regarding HUD\xe2\x80\x99s Integrated Core    11\n      Financial System\n\nScope and Methodology                                               17\n\nInternal Controls                                                   18\n\nFollow-up on Prior Audits                                           19\n\nAppendixes\n\n      A. Auditee Comments and OIG\xe2\x80\x99s Evaluation                      20\n\n\n\n\n                                     3\n\x0c                           BACKGROUND AND OBJECTIVE\n\nOffice of Management and Budget (OMB) Circular A-127 prescribes policies and standards for\nexecutive departments and agencies to follow concerning their financial management systems.\nCircular A-127 was issued in 1984 and revised periodically to update policies and procedures,\nremove outdated information, and provide clarification as needed. The most recent revision to\nCircular A-127 was issued in January 2009 and became effective October 1, 2009. The revisions\nwere intended to provide greater consistency in determining Federal Financial Management\nImprovement Act of 1996 (FFMIA) compliance and further strengthen financial management.\nOMB pointed out that the revised circular should be used for financial reports and audits for\nfiscal year 2010 and thereafter. Early implementation was encouraged.\n\nThe January 2009 revision of Circular A-127 incorporated new requirements for agencies to use\nfinancial management shared service providers to implement and maintain their core financial\nsystems. Additionally, agencies were required to use certified configurations for their core\nfinancial systems and adopt standard government business processes established by the Financial\nSystems Integration Office 1 (FSIO). Further, pursuant to FFMIA, 2 the circular now includes and\nclarifies the guidance for reporting substantial compliance with FFMIA. While the revised\ncircular introduced these new requirements, it did not eliminate requirements pertaining to\ncomputer security, 3 internal controls, 4 and maintaining financial management system plans and\nan agency wide inventory of financial management systems. Within HUD, the Office of the\nChief Financial Officer (OCFO) is responsible for ensuring compliance with OMB Circular A-\n127.\n\nHUD has three separate program areas with financial information that must be consolidated to\nproduce financial statements that reflect its financial condition. These three areas, (1) the\nFederal Housing Administration (FHA), (2) the Government National Mortgage Association\n(Ginnie Mae), and (3) the remaining HUD program areas summarized by the OCFO (i.e., Public\nand Indian Housing (PIH) and Community Planning and Development (CPD)), each use separate\nfinancial applications to accomplish the required financial functions.\n\nFor several years, we have reported a significant deficiency in the consolidated financial\nstatement audit report regarding HUD\xe2\x80\x99s lack of full compliance with Federal financial\nmanagement system requirements. To address this deficiency, HUD initiated the HUD\n\n1\n  The Financial Systems Integration Office (FSIO), within the General Services Administration, was formerly\nknown as the Joint Financial Management Improvement Program (JFMIP) staff office. FSIO\xe2\x80\x99s major areas of\nresponsibility included requirements development, testing and product certification for core financial systems.\n2\n FFMIA is intended to advance Federal financial management by ensuring that Federal financial management\nsystems can routinely provide reliable financial information uniformly across the Federal Government following\nprofessionally accepted accounting.\n3\n Security controls requirements are defined by the Federal Information Security Management Act and Circular A-\n130 and/or successor documents.\n4\n  Internal controls requirements are the internal control objectives of Circular A-123, which ensure that resource use\nis consistent with laws, regulations, and policies; resources are safeguarded against waste, loss, and misuse; and\nreliable data are obtained, maintained, and disclosed in reports.\n\n\n                                                          4\n\x0cIntegrated Financial Management Improvement Project (HIFMIP) to move to an integrated core\nfinancial system (ICFS). HIFMIP was initially intended to replace the five financial applications\nthat currently perform the core financial functions (collecting, processing, maintaining,\ntransmitting, and reporting data regarding financial events) with one integrated financial system\nsolution. HUD expected that HIFMIP would:\n\n    \xe2\x80\xa2   Provide direct access to standardized, accurate, timely information;\n    \xe2\x80\xa2   Reduce the number of systems;\n    \xe2\x80\xa2   Provide efficient reporting and fiscal year end closings; and\n    \xe2\x80\xa2   Provide efficient programmatic data for budget formulation.\n\nThe base period of performance for the HIFMIP contract was planned to last 18 months. Plans\nalso called for eight 12- month options and one six month option. However, due to multiple\nprotests and changes in requirements by OMB, a contract for HIFMIP was not awarded until\nSeptember 2010.\n\nThis audit was performed as a component of our annual consolidated financial statements audit\nfor fiscal year 2010 under the Chief Financial Officer\xe2\x80\x99s Act of 1990 5. Our overall objective was\nto evaluate HUD\xe2\x80\x99s compliance with the requirements of OMB Circular A-127, which was\nrevised in January 2009 and became effective October 1, 2009.\n\n\n\n\n5\n  The CFO Act requires that annual financial statements be prepared and audited for each CFO Act agency covering\nall accounts and associated activities of each office, bureau, and activity of the agency. The CFO Act also requires\nthat the financial statements prepared pursuant to the act be audited in accordance with applicable generally\naccepted government auditing standards.\n\n\n                                                         5\n\x0c                                      RESULTS OF AUDIT\n\nFinding 1: HUD Did Not Fully Comply With OMB Circular A-127\nRequirements\nHUD did not fully comply with all requirements specified in OMB Circular A-127. Specifically,\nHUD had not (1) initiated plans to review financial management systems for compliance with\ncomputer security and internal control guidelines; and (2) accurately identified HUD\xe2\x80\x99s financial\nmanagement systems within its financial system inventory listing. Changes in requirements by\nOMB led HUD to change its position regarding its financial management systems. By not\nmeeting the financial system requirements of OMB Circular A-127, HUD could not be assured\nthat its financial management systems were reasonably secured and met Federal internal control\nrequirements. This increases the risk that the annual financial statements would not be\neffectively and reliably produced.\n\n\n\n    HUD Did Not Perform\n    Required Reviews of Its\n    Financial Management Systems\n\n\n\n                 Both the older and revised versions of OMB Circular A-127 require that financial\n                 management systems 6 be reviewed for compliance with Federal computer\n                 security and internal control requirements. Before FY 2005, HUD used\n                 contractors to perform the Circular A-127 reviews of its financial management\n                 systems. During FY 2005, HUD conducted an A-76 streamlined competition 7 to\n                 determine whether it was more cost efficient to perform A-127 compliance\n                 reviews with government staff resources. In 2006, HUD won the right to perform\n                 the A-127 compliance reviews. Since then, however, HUD had not performed the\n                 required number of A-127 compliance reviews. The HUD Office of Inspector\n                 General (OIG) reported this condition in its FY 2008 financial statement audit\n                 report. 8 HUD had not taken corrective action to address this weakness and ensure\n6\n A financial management system includes the core financial systems and the financial portions of mixed systems\nnecessary to support financial management, including automated and manual processes, procedures, and controls,\ndata, hardware, software, and support personnel dedicated to the operation and maintenance of system functions.\nExamples of financial management systems include: core financial systems, procurement systems, loan systems,\ngrants systems, payroll systems, budget formulation systems, billing systems, and travel systems.\n7\n The A-76 streamlined competition allows an agency to perform a cost-based public vs. private competition to\ndetermine whether a commercial activity should be performed by government personnel when the number of\npersonnel required to complete the task is fewer than 65. The purpose of the competition is to ensure that the\nAmerican people receive maximum value for their tax dollars.\n8\n OIG Audit Report number 2009-FO-0003, \xe2\x80\x9cAdditional Details to Supplement Our Report on HUD\xe2\x80\x99s Fiscal Years\n2008 and 2007 Financial Statements,\xe2\x80\x9d issued November 14, 2008.\n\n\n                                                         6\n\x0c             that A-127 compliance reviews were conducted. HUD\xe2\x80\x99s policy was to complete\n             Circular A-127 compliance reviews of all of its financial systems within a 3-year\n             cycle. The tables below identify the number of Circular A-127 compliance\n             reviews required and completed since FY 2007 and when HUD\xe2\x80\x99s core financial\n             systems were last reviewed.\n\n\n                                                              Total Number of Number of A-127\n                               Number of A-127                   Financial    Reviews Required\n                             Reviews Completed by              Management      to Meet 3 year\n     Fiscal Year\n                                the OCFO Risk                Systems in HUD\xe2\x80\x99s  Requirement to\n                             Management Division             Financial System    Review all\n                                                                 Inventory        Systems *\n2007                                      2                          42              14\n2008                                      2                          42              14\n2009                                      3                          40              13\n2010 (through March\n                                          1                            40                       13\n2010)\nTotals                                    8                                                     54\n               Table 1 - Number of Circular A-127 compliance reviews completed/required\n                * Calculated as one-third of the financial management systems inventory\n\n\n\n          Core Financial Application                     Date of Last OMB Circular A-127 Review\nHUD\xe2\x80\x99s Centralized Accounting and Program\n                                                                         October 2003\nSystem (HUDCAPS)\nLine of Credit Control System (LOCCS)                                     July 2005\nProgram Accounting System (PAS)                                           July 2005\nHyperion                                                                 October 2003\nFinancial Data Mart                                                      Not reviewed\n         Table 2 \xe2\x80\x93 Date of last Circular A-127 compliance review for HUD\xe2\x80\x99s core financial systems\n\n\n\n             As shown in Table 1, only eight A-127 reviews were completed since 2007.\n             Table 2 points out that of the financial applications performing HUD\xe2\x80\x99s core\n             financial functions, two have not been reviewed for compliance with computer\n             security and internal controls within the last seven years, two have not been\n             reviewed within the last five years, and one application was never assessed.\n              OCFO no longer intends to assess all of HUD\xe2\x80\x99s financial management systems\n             for compliance with computer security and internal control requirements as stated\n             in OMB Circular A-127. Instead, OCFO plans to perform a self-assessment on\n             the HUDCAPS application and rely on the results of the OMB Circular A-123\n\n\n\n\n                                                    7\n\x0c                  compliance reviews 9 and the annual Federal Information Security Management\n                  Act (FISMA) review. Circular A-127 points out that agencies can leverage the\n                  results of the A-123 and FISMA reviews. However, the circular does not indicate\n                  that those reviews alone are sufficient to meet the A-127 review requirement.\n                  Neither the annual FISMA review nor the A-123 reviews adequately verify\n                  compliance with computer security and internal controls for all of HUD\xe2\x80\x99s\n                  financial management applications.\n\n                  OCFO officials stated that the evaluation of internal controls is not just an\n                  evaluation through one review; it is based on a series of ongoing actions, activities\n                  and events that occur throughout HUD\xe2\x80\x99s operations. The OIG agrees with this\n                  assessment and believes that this should include HUDCAPS as well as other\n                  financial management systems. OIG has reported for the last several years a\n                  significant deficiency on HUD\xe2\x80\x99s computing environment. OIG consistently\n                  identifies weaknesses in computer security controls over HUD\xe2\x80\x99s systems, and\n                  these weaknesses are typically not identified during A-123 and FISMA reviews.\n\n                  OMB Circular A-127, section 8, part E, states that agencies should perform an\n                  annual review of their financial management systems to verify compliance with\n                  computer security and internal controls. The circular suggests that agencies\n                  leverage the results of related reviews such as those required by FISMA and\n                  Circular A-123. Additionally, the circular states that agencies not using the latest\n                  version of a FSIO-certified system 10 may be required to perform self-assessments\n                  of their core financial system.\n\n                  OCFO officials stated that they were unable to find individuals with the necessary\n                  knowledge, skills, and abilities to perform the A-127 reviews. However, a\n                  contractor was not hired to perform the required reviews. Further, OCFO officials\n                  interpreted the term \xe2\x80\x9cleverage\xe2\x80\x9d in the revised Circular A-127 criteria as\n                  permission to rely on the FISMA and Circular A-123 reviews. OMB Circular A-\n                  123 reviews do not cover all the financial management systems. The OMB\n                  Circular A-127 statement, \xe2\x80\x9cAgencies that do not use the latest version of the FSIO\n                  certified system may be required to perform self assessments of their core\n                  financial system,\xe2\x80\x9d was interpreted to mean that only the core financial system\n                  needed to be reviewed. OCFO referred to HUDCAPS as its core financial\n                  system, and stated that it planned to perform a self assessment this system.\n                  However, there are five financial management systems (HUDCAPS, LOCCS,\n                  PAS, Hyperion, and the Financial Data Mart) that perform the key functions of a\n                  core financial management system. Because OCFO did not consider LOCCS,\n                  PAS, Hyperion and the Financial Data Mart to be core financial systems, it did\n                  not plan to perform self assessments for these systems.\n\n9\n  Circular A-123 compliance reviews ensure that resource use is consistent with laws, regulations, and policies;\nresources are safeguarded against waste, loss, and misuse; and reliable data are obtained, maintained, and disclosed\nin reports.\n10\n  A FSIO-certified system refers to the OMB Circular A-127 requirement that agencies use a core financial system\nthat is a COTS system that has been certified by FSIO as meeting the core financial system requirements.\n\n\n                                                          8\n\x0c           HUD\xe2\x80\x99s financial management systems process billions of dollars in housing\n           transactions. By not performing annual reviews of its financial management\n           systems to verify compliance with computer security and internal controls, HUD\n           increased its risk that monetary resources, such as payments and collections,\n           could be lost or stolen. Since at least 2007, OCFO has not completed a full cycle\n           of A-127 reviews, so the true security and internal control status of HUD\xe2\x80\x99s\n           financial systems is not known. As previously mentioned, HUD OIG reported\n           this issue in its FY 2008 financial statement audit report, but corrective action had\n           not been taken. Consequently, we are not including a new recommendation in\n           this report for this ongoing issue.\n\n\nFinancial Data Mart Was Not\nClassified as a Financial\nManagement System\n\n\n           OCFO did not include the Financial Data Mart in its inventory of financial\n           management systems and did not classify it as a financial management system\n           although it meets OMB Circular A-127\xe2\x80\x99s definition of a financial system. The\n           Financial Data Mart is a database application used by HUD for financial reporting\n           and to transfer data between HUDCAPS and Hyperion to produce HUD\xe2\x80\x99s\n           consolidated financial statements. Based upon the current data transfer process,\n           HUD\xe2\x80\x99s consolidated financial statements cannot be produced without the\n           Financial Data Mart.\n\n           OMB Circular A-127, section 9, part a, item 3, requires agencies to develop and\n           maintain an agency wide inventory of their existing and proposed financial\n           management systems and to provide FSIO with an annual inventory of their\n           financial management systems.\n\n           Section 5 of the circular defines a financial system as an information system that\n           may perform all of the financial functions, including general ledger management,\n           funds management, payment management, receivable management, and cost\n           management. It is also known as the system of record that maintains all\n           transactions resulting from financial events. It may be integrated through a\n           common database or interfaced electronically to meet defined data and processing\n           requirements. The core financial system is specifically used for collecting,\n           processing, maintaining, transmitting, and reporting data regarding financial\n           events. Other uses include supporting financial planning, budgeting activities,\n           and preparing financial statements. Any data transfers to the core financial\n           system must be traceable to the transaction source, posted to the core financial\n           system in accordance with applicable guidance from the Federal Accounting\n\n\n\n\n                                             9\n\x0c                  Standards Advisory Board 11 (FASAB), and configured in the data format of the\n                  core financial system.\n\n                  OCFO did not consider the Financial Data Mart to be a financial management\n                  system. After our specific inquiries regarding the rationale for this decision,\n                  OCFO reversed its longstanding position and decided that the Financial Data Mart\n                  was a financial management system.\n\n                  Because the Financial Data Mart was not included in HUD\xe2\x80\x99s inventory of\n                  financial management systems or classified as a financial management system, it\n                  was not assessed for compliance with computer security and internal controls as\n                  required by OMB Circular A-127, and inaccurate information regarding HUD\xe2\x80\x99s\n                  financial systems was provided to the Government Accountability Office (GAO),\n                  OMB, and FSIO. Further, financial management system inventory listings\n                  developed and maintained by OCFO were inaccurate.\n\n\n     Conclusion\n\n\n                  HUD did not fully comply with the requirements of OMB Circular A-127. HUD\n                  had not conducted all required reviews of its financial management systems, and\n                  accurately identified all of its financial management systems. These weaknesses\n                  occurred because of changes in requirements by OMB and misinterpretation of\n                  those requirements. By not meeting the financial system requirements of OMB\n                  Circular A-127, HUD could not be assured that its financial management systems\n                  were reasonably secured, met Federal internal control requirements, and\n                  effectively and reliably produced its annual financial statements.\n\n     Recommendations\n\n\n                  We recommend that the Office of the Chief Financial Officer\n                  1A.     Revise the financial management system inventory listing to include the\n                          Financial Data Mart as a financial management system.\n                  1B.     Review the Financial Data Mart for compliance with computer security\n                          and internal controls as required by OMB Circular A-127.\n\n\n\n\n11\n  The mission of the FASAB is to promulgate federal accounting standards after considering the financial and\nbudgetary information needs of citizens, congressional oversight groups, executive agencies, and the needs of other\nusers of federal financial information.\n\n\n                                                        10\n\x0cFinding 2: Concerns Remain Regarding HUD\xe2\x80\x99s Integrated Core\nFinancial System\nAlthough progress has been made, concerns remain regarding HUD\xe2\x80\x99s integrated core financial\nsystem. The contract for HIFMIP was awarded on September 23, 2010. However, lack of\nupdated planning documents could impact the18-month timeframe for completing the initial\nimplementation. Additionally, HUD\xe2\x80\x99s interpretation of its core financial system could impact\nfuture option periods for the HIFMIP contract. OCFO officials did not see a need to update the\nHIFMIP planning documents, and changes in OMB definitions led HUD to conclude that only\nHUDCAPS should be listed as its core financial system. This interpretation could prevent HUD\nfrom achieving its overall vision of completing a fully integrated core financial system.\n\n\n\n     HIFMIP Planning Documents\n     Were Not Updated to Reflect\n     Current Conditions\n\n\n                  In 2003, HUD initiated the HUD Integrated Financial Management Improvement\n                  Project (HIFMIP) to move to an integrated core financial system (ICFS) using\n                  PeopleSoft. 12 The original scope of the HIFMIP project was identified as a multi-\n                  year project to replace HUD\xe2\x80\x99s core financial system with a solution that integrated\n                  financial information HUD-wide. The plans affected 34 separate applications\n                  within the agency and 73 existing interfaces between computer systems, not\n                  including the interfaces that would need to be built for FHA and Ginnie Mae.\n\n                  The recommendations that resulted from the initial phase of the project were\n                  summarized within the document \xe2\x80\x9cHUD\xe2\x80\x99s Financial Management Vision,\xe2\x80\x9d which\n                  was issued in July 2005. The original project vision called for the replacement of\n                  HUD\xe2\x80\x99s Centralized Accounting and Program System (HUDCAPS) 13, Program\n                  Accounting System (PAS) 14, Hyperion 15, the Financial Data Mart 16 and the\n\n12\n  PeopleSoft is an integrated software package that provides a wide variety of business applications to assist in the\nday-to-day execution and operation of business processes. Each individual application, such as Financials,\nCustomer Relationship Management, and Human Resources, interacts with others to offer an effective and efficient\nmeans of working and reporting in an integrated fashion across the enterprise.\n13\n  HUDCAPS captures, reports, controls, and summarizes the results of the accounting processes, including budget\nexecution and funds control, accounts receivable and collections, accounts payable and general ledger.\n14\n  PAS is an integrated subsidiary ledger for HUD\xe2\x80\x99s grant, subsidy, and loan programs. PAS maintains accounting\nrecords based on receipt of funding authorizations from HUDCAPS, which generates transaction activity at different\nlevels.\n15\n   Hyperion is HUD\xe2\x80\x99s consolidated financial statement system. It captures, records, and summarizes HUD\xe2\x80\x99s\nfinancial results of operations across all business areas in accordance with the requirements defined by OMB, GAO,\nTreasury, Congress, and HUD program offices to fulfill HUD\xe2\x80\x99s quarterly and annual Treasury reporting\nrequirements.\n\n\n\n                                                         11\n\x0c                 portions of the Line of Credit Control System (LOCCS) 17 that related to core\n                 financial functions. The document included specific information regarding the\n                 justification for each application. It concluded that HUDCAPS, PAS, and\n                 LOCCS were not Office of Federal Financial Management 18 (OFFM) compliant\n                 applications and that they ran on outdated technology that was costly to maintain.\n                 It also included information regarding the fact that the reconciliation of\n                 HUDCAPS requires an \xe2\x80\x9cextraordinary effort\xe2\x80\x9d from HUD staff to accomplish\n                 monthly and at year end, and that the batch processing of financial transactions\n                 between PAS and HUDCAPS results in untimely financial information. In\n                 addition, the results of HUD\xe2\x80\x99s analysis concluded that the functionality provided\n                 by both Hyperion and the Financial Data Mart would be accomplished in a more\n                 efficient and integrated manner through replacement. The HIFMIP Vision\n                 document defined an integrated financial system for HUD as one that \xe2\x80\x9cshould\n                 ensure accountability and control of resources and produce accurate, consistent,\n                 timely and useful financial information while linking to program information.\xe2\x80\x9d It\n                 also stated that the system \xe2\x80\x9cshould also be able to measure performance and\n                 support informed decision making at all levels.\xe2\x80\x9d\n\n                 In addition, vision and requirements documents developed through FY 2005 had\n                 not been updated. Since then, a number of significant changes had been made\n                 within the HUD financial system environment. The table below provides\n                 examples of changes to HUD\xe2\x80\x99s financial system environment:\n\n\nSystem/Office             Acronym                             Description                          Type of Change\nName                                                                                               Made\nDisaster Recovery and     DRGR            HUD receives funds from Congress to assist               Added to the HUD\nGrants System                             communities and States in recovering from housing        financial system\n                                          and community problems due to Presidentially             environment\n                                          declared disasters. The DRGR system is used for\n                                          monitoring and tracking performance under the\n                                          Disaster Recovery Program.\nSubsidy and Grants        SAGIS           SAGIS automates the competitive and formula-based        Added to the HUD\nInformation System                        processes for allocating Public and Indian Housing       financial system\n                                          Office (PIH) program funds.                              environment\n\n\n\n\n16\n   The Financial Data Mart was created to provide a consolidated reporting environment of HUD\xe2\x80\x99s financial data to\nusers to create ad hoc queries and reports for analysis and execute canned financial reports.\n17\n  LOCCS supports OCFO and all HUD program offices in coordinating and controlling grant, loan, and subsidy\ndisbursements. The system is the CFO\xe2\x80\x99s primary vehicle for cash management while monitoring disbursements\naccording to the individual control requirements used by HUD program offices to ensure program compliance.\nLOCCS is both a payment control tool and a HUD post-award financial grants management system. LOCCS is also\nthe link that connects HUD\xe2\x80\x99s program management information systems to its program accounting data.\n18\n  The Office of Federal Financial Management (OFFM) within OMB is responsible for the financial management\npolicy of the Federal Government. OFFM responsibilities include implementing the financial management\nimprovement priorities of the President, establishing government-wide financial management policies of executive\nagencies, and carrying out the financial management functions of the CFO Act.\n\n\n                                                       12\n\x0cSystem/Office          Acronym                            Description                             Type of Change\nName                                                                                              Made\nHyperion               Hyperion       Hyperion is HUD\xe2\x80\x99s consolidated financial statement          Application was upgraded\n                                      system. It captures, records, and summarizes HUD\xe2\x80\x99s\n                                      financial results of operations across all business areas\n                                      in accordance with the requirements defined by OMB,\n                                      the Government Accountability Office, the U.S.\n                                      Department of the Treasury (Treasury), Congress, and\n                                      HUD program offices to fulfill HUD\xe2\x80\x99s quarterly and\n                                      annual Treasury reporting requirements.\nLoan Accounting        LAS/NLS        LAS/NLS performs the direct loan servicing activities       LAS/NLS replaced the\nSystem/ Northridge                    required to support HUD\xe2\x80\x99s Section 202 Housing for           Loan Accounting System\nLoan System                           the Elderly and Handicapped Loan Program and the            (LAS)\n                                      Section 201 Flexible Subsidy Programs.\nFed Traveler           Fed Traveler   FED Traveler is the travel system for government            Fed Traveler replaced the\n                                      travelers.                                                  HUD Travel Management\n                                                                                                  System (HTMS)\nDepartmental           DARTS          DARTS establishes, tracks, and collects account             DARTS was retired, and\nAccounts Receivable                   receivables for residual receipts, excess financing, and    its functionality was\nTracking/Collection                   miscellaneous payments for the Public Housing               integrated into LAS/NLS\nSystem                                Agencies/Indian Housing Authorities and Section 236\n                                      program receivables for Multifamily Excess Rental\n                                      Income.\nOffice of Federal      OFHEO          OFHEO required a separate interface with the                OFHEO was abolished in\nHousing Enterprise                    Financial Information and Management System                 2008.\nOversight                             (FIMS) for reporting.\n\n\n\n                OCFO officials did not see a need to update the vision and requirements\n                documents developed through FY 2005 because they believed that neither the\n                amount of time elapsed nor detail changes would alter the objectives that the\n                contractor would agree to perform for a fixed price. Further, OCFO officials\n                stated that the contract would include objectives to verify that HUD was current\n                with Federal requirements and to maintain that currency throughout the life of the\n                contract.\n\n                The vendor who won the HIFMIP contract will have to redefine the project plan\n                to detail how it will comply with current laws and regulations and establish the\n                corresponding implementation schedule. We are concerned however, that\n                timelines will slip and contract modifications will be requested since the contract\n                has only an 18-month window for accomplishing the initial implementation.\n                Within the 18-month window for accomplishing the initial implementation, the\n                contractor will have to update project documentation, reevaluate system interfaces\n                due to changes in HUD\xe2\x80\x99s computing environment over the years, and assess\n                changes in Federal requirements. Further, the contractor will need to determine\n                how the change of systems to be included in the project will impact this\n                implementation (HIFMIP originally called for the replacement of HUDCAPS,\n                PAS, LOCCS, Hyperion and the Financial Data Mart). Then there is the actual\n                implementation of the new integrated financial system.\n\n\n\n                                                   13\n\x0cOIG and OCFO Disagree on\nHow HUD\xe2\x80\x99s Core Financial\nSystem Should Be\nCharacterized\n\n\n\n          In the responses to GAO, OMB, and FSIO, OCFO listed the HUDCAPS\n          application as HUD\xe2\x80\x99s core financial system. However, we found that OCFO uses\n          five separate financial management systems to accomplish the core financial\n          system functions (collecting, processing, maintaining, transmitting, and reporting\n          data regarding financial events). These five financial management applications\n          are LOCCS, Hyperion, the Financial Data Mart, PAS, and HUDCAPS. LOCCS\n          provides grants management processing and authorized payment transactions to\n          the U.S. Department of the Treasury (Treasury); Hyperion transmits financial\n          information for treasury reporting, including the consolidated financial\n          statements; the Financial Data Mart receives vendor payee information from the\n          Central Contract Registration, which is used for standardized and ad hoc\n          reporting, and is the interface for financial transactions to be recorded in\n          Hyperion; and PAS transmits financial transaction information to HUDCAPS\n          through batch interfaces that occur nightly.\n\n          Although information referencing HUDCAPS, LOCCS, PAS, and Hyperion was\n          included within the write-up for HUDCAPS, the responses gave the impression\n          that there was only one financial system to produce the financial statements of the\n          program areas reported on by HUD\xe2\x80\x99s OCFO. We also noted that in\n          correspondence between OCFO and HUD OIG, dated January 2010, OCFO\n          identified the core financial applications as HUDCAPS, PAS, LOCCS, and\n          Hyperion. The Financial Data Mart was omitted.\n\n          The January 2009 version of OMB Circular A-127 defines a core financial system\n          as an information system that may perform all of the financial functions,\n          including general ledger management, funds management, payment management,\n          receivable management, and cost management. It is also known as the system of\n          record that maintains all transactions resulting from financial events. It may be\n          integrated through a common database or interfaced electronically to meet defined\n          data and processing requirements. The core financial system is specifically used\n          for collecting, processing, maintaining, transmitting, and reporting data regarding\n          financial events. Other uses include supporting financial planning, budgeting\n          activities, and preparing financial statements. Any data transfers to the core\n          financial system must be traceable to the transaction source, posted to the core\n          financial system in accordance with applicable guidance from the FASAB, and\n          configured in the data format of the core financial system.\n\n          The FSIO \xe2\x80\x9cCore Financial System Requirements Exposure Draft,\xe2\x80\x9d dated February\n          22, 2010, defines the capabilities of the core financial system as system\n\n\n\n                                          14\n\x0cmanagement, reimbursable management, fund balance with treasury management,\ncost management, receivable management, payment management, funds\nmanagement, general ledger management, and reporting management. It further\nstates that these capabilities may be tightly integrated as a single system or may\nbe stand-alone systems with information transferred among them.\n\nOIG disagrees with OCFO\xe2\x80\x99s interpretation of the revised definition for core\nfinancial applications contained in the 2009 version of OMB Circular A-127.\nOCFO maintained that because HUDCAPS was the official record of all financial\ntransactions at the conclusion of the fiscal yearend processing, it met the\ndefinition of core financial system. However, the core financial system\nrequirements relate to functionality. Financial transactions are entered into\nHUDCAPS nightly through batch processing. As a result, HUDCAPS alone does\nnot contain accurate data regarding HUD\xe2\x80\x99s financial transactions on a daily basis.\nFinancial data required on a daily basis must be obtained through multiple\napplications.\n\nOCFO acknowledged that HUDCAPS relies heavily on PAS, LOCCS, Hyperion\nand the Financial Data Mart to accomplish the core financial system functions,\nbut disputes OIG\xe2\x80\x99s interpretation that all five systems should be considered\ntogether as HUD\xe2\x80\x99s core financial system. OCFO also expressed concern that if all\nfive systems were classified as core, then once the base period of the HIFMIP\ncontract was completed, HUD would still be non-compliant with requirements to\nhave an integrated core financial system. The base period of the HIFMIP contract\nwill only replace HUDCAPS and PAS; LOCCS, Hyperion and the Financial Data\nMart will still exist. OCFO believes that reliance on these three remaining\nsystems will be significantly reduced upon completion of the base performance\nperiod of the HIFMIP contract, and that HUD will have a fully complaint\nintegrated core financial system as a result.\n\nThe roles that these applications will perform have not yet been officially defined\nby either HUD or the newly hired contractor. HUD has not conducted any further\nanalysis since it completed the work to identify the original scope of the HIFMIP\nproject and supporting documentation. Modifications to HUD\xe2\x80\x99s computing\nenvironment and the financial system software being utilized have not been taken\ninto consideration or analyzed. Consequently, the OIG remains concerned\nregarding the HIFMIP project.\n\nIn June 2010, OMB issued memorandum M-10-25, \xe2\x80\x9cReforming the Federal\nGovernment\xe2\x80\x99s Efforts to Manage Information Technology Projects.\xe2\x80\x9d This\nmemorandum directed executive departments and agencies to refrain from\nawarding new task orders or contracts for financial system modernization projects\npending review and approval by OMB. OMB reviewed HIFMIP and\nrecommended that HUD give additional consideration to its (1) categorization of\nrisk and mitigation strategies; (2) governance structure to ensure appropriate\nleadership is in place to support the project; and (3) funding strategy to give more\n\n\n\n                                 15\n\x0c             time to assess whether the current approach is viable. As a result of OMB\xe2\x80\x99s\n             recommendations, HUD agreed to re-scope HIFMIP to address only the\n             Department- level portion. Based on HUD\xe2\x80\x99s agreement to re-scope the project,\n             OMB approved the 18-month base period. Proposed changes to the scope of the\n             HIFMIP project are subject to OMB review and additional approvals will be\n             needed for the option periods associated with HIFMIP.\n\n\n\nConclusion\n\n\n             OCFO did not update HIFMIP planning documents, and did not consider core\n             financial system functionality when it interpreted OMB\xe2\x80\x99s revised definition of a\n             core financial system. These issues could prevent timely completion of the 18\n             month base period of the HIFMIP contract and negatively impact future option\n             periods.\n\n\nRecommendations\n\n\n\n             We recommend that the Office of the Chief Financial Officer\n             2A.    Work with the winning HIFMIP contractor to update the gap analysis to\n                    determine which applications should be maintained and update the\n                    HIFMIP documentation to detail the changes to HUD\xe2\x80\x99s financial system\n                    environment.\n             2B.    Ensure that the integrated core financial system (ICFS) addresses all core\n                    system requirements.\n\n\n\n\n                                             16\n\x0c                         SCOPE AND METHODOLOGY\n\nThe review covered the period October 1, 2009 through August 31, 2010. We performed the\naudit at HUD headquarters in Washington, DC, and from a remote location in Detroit, MI. Audit\nwork was conducted from March through August 2010.\n\nHUD has three separate program areas with financial information that must be consolidated to\nproduce financial statements that reflect its financial condition. These three areas: (1) FHA, (2)\nGinnie Mae, and (3) the remaining HUD program areas summarized by OCFO (i.e., PIH and\nCPD), each use separate financial applications to accomplish the required financial functions.\nWe limited the scope of our review to an assessment of the program areas with financial data\nsummarized by OCFO.\n\nWe reviewed the requirements of OMB Circular A-127, issued in January 2009, and compared\nthe requirements to those of the previously issued version, dated July 1993 and updated in 1999\nand 2004. We assessed HUD\xe2\x80\x99s compliance with the applicable OMB Circular A-127\nrequirements for the fiscal year ending September 30, 2009, and when possible, HUD\xe2\x80\x99s ongoing\nefforts to address the revised requirements that became effective October 1, 2009.\n\nWe conducted the audit in accordance with generally accepted government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjective. We believe that the evidence obtained provides a reasonable basis for our findings\nand conclusions based on our audit objective.\n\n\n\n\n                                                17\n\x0c                              INTERNAL CONTROLS\n\nInternal control is a process adopted by those charged with governance and management,\ndesigned to provide reasonable assurance about the achievement of the organization\xe2\x80\x99s mission,\ngoals, and objectives with regard to\n\n   \xe2\x80\xa2   Effectiveness and efficiency of operations,\n   \xe2\x80\xa2   Reliability of financial reporting, and\n   \xe2\x80\xa2   Compliance with applicable laws and regulations.\n\nInternal controls comprise the plans, policies, methods, and procedures used to meet the\norganization\xe2\x80\x99s mission, goals, and objectives. Internal controls include the processes and\nprocedures for planning, organizing, directing, and controlling program operations as well as the\nsystems for measuring, reporting, and monitoring program performance.\n\n\n\n Relevant Internal Controls\n               We determined that the following internal controls were relevant to our audit\n               objective:\n\n               \xe2\x80\xa2      Adherence to policies and procedures\n               \xe2\x80\xa2      Managerial oversight and monitoring\n               \xe2\x80\xa2      Reporting\n\n               We assessed the relevant controls identified above.\n\n               A deficiency in internal control exists when the design or operation of a control does\n               not allow management or employees, in the normal course of performing their\n               assigned functions, the reasonable opportunity to prevent, detect, or correct (1)\n               impairments to effectiveness or efficiency of operations, (2) misstatements in\n               financial or performance information, or (3) violations of laws and regulations on a\n               timely basis.\n\n Significant Deficiency\n               Based on our review, we believe that the following item is a significant deficiency:\n               \xe2\x80\xa2   HUD did not fully comply with OMB Circular A-127 requirements (finding\n                   1).\n\n\n\n\n                                                 18\n\x0c                   FOLLOW-UP ON PRIOR AUDITS\n\n\nAdditional Details to\nSupplement Our Report on\nHUD\xe2\x80\x99s Fiscal Years 2008 and\n2007 Financial Statements \xe2\x80\x93\nAudit Report 2009-FO-0003\n\n\n           HUD OIG is required to annually audit HUD\xe2\x80\x99s consolidated financial statements in\n           accordance with the Chief Financial Officers Act of 1990, as amended. The OIG\n           audit of HUD\xe2\x80\x99s FY 2008 and 2007 financial statements (audit report 2009-FO-0003)\n           concluded that HUD did not comply with FFMIA. It concluded that although it was\n           HUD\xe2\x80\x99s policy to complete OMB A-127 reviews of all HUD financial systems\n           within a 3-year cycle, HUD did not complete any of the planned 2007 and 2008\n           independent reviews of its financial management systems to verify compliance with\n           financial system requirements, identify system and procedural weaknesses, and\n           develop the corrective actions to address identified weaknesses. Additionally, HUD\n           only completed four independent reviews that were planned in 2006. As a result of\n           the issues cited, OIG issued a recommendation that HUD develop a plan to comply\n           with OMB A-127 review requirements, which results in the evaluation of all HUD\n           financial management systems within a 3-year cycle. This recommendation\n           remained unresolved as of August 31, 2010.\n\n\n\n\n                                           19\n\x0c                        APPENDIXES\n\nAppendix A\n\n        AUDITEE COMMENTS AND OIG\xe2\x80\x99S EVALUATION\n\n\nRef to OIG Evaluation      Auditee Comments\n\n\n\n\nComment 1\n\n\n\n\n                            20\n\x0cRef to OIG Evaluation   Auditee Comments\n\n\n\nComment 2\n\n\n\n\nComment 3\n\n\n\n\nComment 4\n\n\n\n\nComment 5\n\n\n\n\nComment 6\n\n\n\n\n                         21\n\x0cRef to OIG Evaluation   Auditee Comments\n\n\nComment 7\n\n\n\n\nComment 8\n\n\n\n\nComment 9\n\n\n\n\nComment 10\n\n\n\n\nComment 11\n\n\n\n\n                         22\n\x0cRef to OIG Evaluation   Auditee Comments\n\n\n\n\nComment 12\n\n\n\n\nComment 13\n\n\n\nComment 14\n\n\n\n\nComment 15\n\n\n\n\n                         23\n\x0cRef to OIG Evaluation   Auditee Comments\n\n\n\n\n                         24\n\x0c                         OIG Evaluation of Auditee Comments\n\nComment 1   We agree that OMB Circular A-127 allows agencies to leverage the results of the\n            OMB Circular A-123 and FISMA reviews. However, the circular does not\n            indicate that those reviews alone are sufficient to meet the A-127 review\n            requirement. OIG consistently identifies weaknesses in computer security\n            controls over HUD\xe2\x80\x99s systems, and these weaknesses are typically not identified\n            during A-123 and FISMA reviews.\n\nComment 2   The OIG\xe2\x80\x99s independent evaluation of HUD\xe2\x80\x99s overall information security\n            program is performed annually as part of its responsibility to address OMB\xe2\x80\x99s\n            FISMA questions.\n\nComment 3   OMB Circular A-127 requires that financial management systems be reviewed for\n            compliance with Federal computer security and internal control requirements.\n            While Circular A-123 reviews do assess internal controls, they are not performed\n            annually for each financial system. The OCFO stated in its response to this report\n            that HUD evaluated ten financial management systems in FY 2010 under its A-\n            123 annual assessment reviews. However, HUD has 43 financial management\n            systems. And as noted in the audit report, only eight A-127 reviews were\n            completed since 2007.\n\nComment 4   The OIG agrees with OCFO\xe2\x80\x99s assessment that the evaluation of internal controls\n            and security controls are not just an evaluation through one review, but a series of\n            ongoing actions, activities and events. The OIG believes that this should include\n            HUDCAPS as well as other financial management systems. OIG has reported for\n            the last several years a significant deficiency on HUD\xe2\x80\x99s computing environment.\n            OIG consistently identifies weaknesses in computer security controls over HUD\xe2\x80\x99s\n            systems, and these weaknesses are typically not identified during A-123 and\n            FISMA reviews.\n\nComment 5   Since at least 2007, OCFO has not completed a full cycle of A-127 reviews, so\n            the true security and internal control status of HUD\xe2\x80\x99s financial systems is not\n            known. As previously mentioned, HUD OIG reported this issue in its FY 2008\n            financial statement audit report, but corrective action had not been taken. We\n            hope that the OCFO will assess all of its financial management systems to comply\n            with the requirements of OMB Circular A-127.\n\nComment 6   The Director of OIG\xe2\x80\x99s Financial Audit Division advised OCFO on September 24,\n            2010 that HUD OIG does not consider the actions taken by the Department to be\n            sufficient. Consequently, he did not agree with closing the original\n            recommendation. Thus, there is no need to issue a new recommendation.\n\nComment 7   Although the OCFO has already taken action for these recommendations, the\n            findings were valid during the audit, and contributed to our determination of a\n            significant deficiency on HUD\xe2\x80\x99s computing environment. However, because\n\n\n\n                                             25\n\x0c              OCFO has already taken corrective action, and supporting documentation has\n              already been provided, the recommendation can be closed concurrently with the\n              management decision.\n\nComment 8     We commend the OCFO for taking corrective action once the deficiency was\n              brought to its attention. Supporting documentation can be submitted as part of the\n              management decision process, and if the documentation is sufficient, we can close\n              the recommendation concurrently.\n\nComment 9     Again, we commend the OCFO for taking corrective action once the deficiency\n              was brought to its attention.\n\nComment 10 Although the OCFO states that it does not concur with Finding 2, the concerns\n           raised by the OIG are legitimate concerns. OCFO acknowledges this in its\n           response and further states that any \xe2\x80\x9ccore financial system implementation should\n           raise concerns.\xe2\x80\x9d Finding 2 is appropriately titled \xe2\x80\x9cConcerns Remain Regarding\n           HUD\xe2\x80\x99s Integrated Core Financial System\xe2\x80\x9d because it expresses the OIG concerns\n           pertaining to HIFMIP. Therefore, we will not remove the finding and its\n           associated headings.\n\nComment 11 The OIG is pleased that OCFO will be incorporating each of the OIG\xe2\x80\x99s\n           recommendations.\n\nComment 12 It would be inappropriate to not present the full discussion of the concerns and\n           disagreements regarding the characterization of HUD\xe2\x80\x99s core financial system.\n           Therefore, as stated in OIG comment 10, we will not remove finding 2 or any of\n           its associated headings. We are pleased that OCFO agrees with our\n           recommendation.\n\nComment 13 See comment 12.\n\nComment 14 See comment 12.\n\nComment 15 As stated in OIG comment 10, we will not remove finding 2 or any of its\n           associated headings. We are pleased that OCFO agrees with our\n           recommendation.\n\n\n\n\n                                              26\n\x0c'